Security of Trusted Repeater Quantum Key Distribution Networks



Louis Salvail 1, Momtchil Peev 2, Eleni Diamanti 3,4, Romain Alléaume 4, Norbert Lütkenhaus 5,6, Thomas Länger 2

1 Université de Montréal, Montréal, Canada
2 Austrian Research Centers GmbH - ARC, Vienna, Austria
3 Laboratoire Charles Fabry de l'Institut d'Optique, Palaiseau, France
4 Telecom ParisTech & LTCI - CNRS, Paris, France
5 University Erlangen-Nuremberg, Erlangen, Germany
6 Institute for Quantum Computing, University of Waterloo, Waterloo, Canada

April 27, 2009 

Abstract 

A Quantum Key Distribution (QKD) network is an infrastructure capable of performing long-distance and high-rate secret key agreement with information-theoretic security. In this paper we study security properties of QKD networks based on trusted repeater nodes. Such networks can already be deployed, based on current technology. We present an example of a trusted repeater QKD network, developed within the SECOQC project. The main focus is put on the study of secure key agreement over a trusted repeater QKD network, when some nodes are corrupted. We propose an original method, able to ensure the authenticity and privacy of the generated secret keys.

Keywords: quantum cryptography, quantum key distribution, QKD network, trusted repeater, secure key agreement, secret sharing

1 Introduction 

Quantum Key Distribution (QKD), often called in a more general context Quantum Cryptography, is a technology that uses the properties of quantum mechanical systems in combination with information theory to achieve unconditionally secure distribution of secret keys. In the last years, the field has rapidly evolved in terms of both theoretical foundations and experimental implementations, with impressive results [1, 2, 3, 4].

The use of QKD has been, until now, mostly limited to point-to-point communication scenarios: the goal being to allow two remote parties linked by a quantum channel and an authentic classical channel to share a common random binary string - a key - that remains unknown to a potential eavesdropper, and to achieve in practice the longest possible communication distance and the highest possible key generation rate. Despite the progress in this direction, the performance of stand-alone point-to-point QKD links will however remain intrinsically limited in terms of achievable distance and rate. Building QKD networks based on an ensemble of QKD links and intermediate nodes could lift these limitations. The purpose of this paper is to discuss the security aspects of QKD networks whose deployment is feasible with current technology: trusted repeater QKD networks. The principle of such networks consists in using trusted repeater nodes as classical relays between QKD links. Indeed, provided that some level of trust can be granted to the network nodes, such networks can guarantee unconditionally secure key exchange between multiple users over potentially unlimited distances.

The material is organized as follows. Section 2 defines the setting of this work: key agreement based on Quantum Key Distribution. It introduces the cryptographic framework of Quantum Key Distribution, focusing on its most striking cryptographic feature: the ability to establish secret keys with information-theoretic security. Section 3 then describes the different possible types of QKD networks and presents an example of a trusted repeater QKD network: the Secoqc QKD network. Section 4 is then devoted to the full analysis of secure key agreement in a trusted repeater QKD network in the case when some nodes may be arbitrarily malicious (or corrupt). We propose a method allowing the communicating parties to ensure the authenticity of a generated secret key without compromising its privacy. We also discuss practical issues and provide a security analysis for this method. Finally, in Section 5 we summarize our results and discuss possible modifications in the model assumptions.

2 The Key Establishment Problem and Quantum Key Distribution

In this work, we regard QKD as a cryptographic primitive, that is as a low-level, universal cryptographic algorithm which can be used as a building block for creating highly complex, dedicated secure communication applications. In this sense, the task of QKD is key distribution (or to use the proper cryptographic term key establishment) between two legitimate parties at two distant locations.

Key Establishment [1] is a standard security task, which is solved either by sending the key from one party to the other over a channel assumed to be secure (key transport) or by applying methods allowing the two parties to generate a common secret key out of inputs provided by both parties (key agreement). Key establishment methods are based on protocols, including specific, locally executed, algorithmic steps and public communication. Assumptions on the intrinsic properties of the communication channels, the power of the adversary, or the resources available to the legitimate parties yield a variety of models, which depending on the methods applied offer different levels of security.

In Section 2.1 we introduce information-theoretic security - a security level, provided by QKD, which is also central to all protocols discussed in this paper. Section 2.2 gives a short overview of models allowing information-theoretic security followed by a detailed discussion of the crypto-properties of QKD, which are the corner stone of the subsequent constructions. Section 2.3 then addresses performance and applicability issues of typical realizations of this primitive and argues on the necessity of designing QKD networks.



2.1 Information-Theoretically Secure Key Agreement

It is beyond the scope of the current paper to address in detail all possible levels of security of key establishment models. We will be solely interested in the highest level of security, known as information-theoretic (or unconditional) security. The notion of information theoretic security (ITS), which is based on probability-theoretic statements, goes back to Shannon [5, 6]. This notion was first introduced in the context of a key agreement process by Wyner [7]. An exact definition depends on the precise model assumptions. Here we describe ITS key agreement in general terms (following [8]) of the two underlying essential ingredients Authenticity and Privacy.

Two parties Alice and Bob perform a key establishment process, as a result of which they obtain the keys $K_A$ and $K_B$ respectively, of length $n$. We say that the key agreement is $\epsilon(n)$-secure if there exists a perfectly random, uniformly distributed key $K$ of length $n$, for which

i. (Authenticity): The probability that $(K_A \neq K) \vee (K_B \neq K)$ is at most $\epsilon'(n)$, OR the key agreement process is terminated with notification of failure,

ii. (Privacy): The information of the adversary Eve^1 is bounded by $I(K : E) \le \epsilon''(n)$,

whereby $\epsilon(n) = \epsilon'(n) + \epsilon''(n)$. The intuitive meaning of this definition is that $\epsilon(n)$-security is achieved when the probability that Alice and Bob do not abort if the keys differ or that the adversary gets non-negligible information on the final key is at most $\epsilon(n)$. In other words, except with probability $\epsilon(n)$ Alice and Bob generate an identical key, which is unknown to the eavesdropper. It is important to note here that ITS definitions and proofs regard keys like $K$, $K_A$, $K_B$ as random variables, depending on an input which is different for different models. Keys shared finally by Alice and Bob are actually values of these random variables. For the sake of simplicity, we ignore this difference and use capitals in what follows.

1 Here the information of the adversary is symbolically meant in a generic sense. Strictly speaking mutual information $I(K : E)$ is defined only in the sense of Shannon entropy, i.e. when the knowledge of the adversary can be characterized by a probability distribution. See Section 2.2 for an adversary holding quantum information.

2.2 QKD - an ITS Cryptographic Key Agreement Primitive

It is well known [H] |H] that no cryptographic method relying solely on computation and communication over insecure communication channels can ensure ITS key establishment. In any case additional resources given to Alice and Bob or alternatively assumptions limiting the information available to the eavesdropper are needed to this end. ITS key agreement is possible in a number of scenarios, based on bounded knowledge available to the adversary, due to e.g. intrinsic noise in the communication channel or limitations of the memory capacity of the adversary (see [8] and references therein). Alternatively ITS key agreement can also be achieved as a consequence of the quantum nature of certain resources, e.g. a quantum communication channel (needed for QKD), or distributed entanglement (needed for quantum teleportation [9]), if such resources are available to the legitimate parties, as these can render unfeasible a number of eavesdropping activities. All methods in the discussed class additionally assume that classical communication channels are authentic, i.e. that the adversary is restricted to passive eavesdropping on these channels.^2 Recently it was found that all these methods can be formulated using a unified quantum approach [10], based on embedding the purely classical scenarios in an equivalent quantum framework.

Thus, from a logical point of view, QKD is just one of many methods enabling ITS key agreement. From a more technological perspective, QKD is currently by far the least restrictive approach. Indeed the eavesdropper is not limited by assumptions, while the additional resource required - stable quantum communication (transmission of light quanta over optical fibers or through free space) between Alice and Bob - is already by no means a mere theoretical construction but rather an advanced engineering practice (see e.g. [11]). Simultaneously, real-time key agreement rates at distances below 100 km reach practically usable ranges [12].

A QKD protocol generically includes two main activities: the legitimate parties communicate over a quantum channel to get correlated bit strings and perform post-processing over the public authentic channel to get identical secure keys or notified termination in case of technical problems or significant eavesdropping activity (see e.g. [3] for details). Different methods to get correlations and different types of post-processing yield different QKD protocols. For a number of studied QKD protocols one can derive full security proofs, which lead to explicit expressions for the information-theoretically secure key generation rate (i.e. the length of the generated secure key per unit time). Among the several proof techniques that have been used in the past years, the most important ones rely on the uncertainty principle [13, 14, 15, 16], the correspondence between entanglement distillation and classical post-processing [17, 18], or information-theoretic notions and in particular smooth Rényi entropies [19, 20, 21]. The ultimate reason for ITS in this case is the fact that eavesdropping attempts by the adversary on the quantum channel unavoidably modify quantum signals and leave signatures in the form of errors. The post-processing phase allows to eradicate the knowledge acquired by moderate eavesdropping or to recognize that information leakage is irreparable and terminate the protocol.

2 As pointed out below, this additional assumption can be lifted by applying ITS message authentication schemes.

Information theoretic security as introduced in Section 2.1 above ensures in general composability [22], which means that the security of the key is guaranteed regardless of the application it is used for: if an $\epsilon$-secure key is used in an $\epsilon_1$-secure task, the composed task would be $(\epsilon + \epsilon_1)$-secure. The importance of this issue for QKD was recognized only recently [22]. The problem was that initial security studies adopted a security definition which was not composable. Early security proofs defined QKD security by analogy with the classical version of the Privacy requirement in Section 2.1: The eavesdropper, who holds a quantum state $\rho_E$, performs the measurement $M$ that maximizes her mutual information with the key $K$. This defines the so-called accessible information $I_{acc}(K : \rho_E) = \max_{E = M(\rho_E)} I(K : E)$, and the security criterion reads $I_{acc}(K : \rho_E) \le \epsilon(n)$. This was shown to be not composable [23]. The main problem is that this definition of security assumes that the eavesdropper transforms her quantum state into a classical one during key agreement. In fact she can keep her quantum state and eventually use it to break a composed task when the QKD key is used later on. A definition that leads to composability for QKD requires a quantum reformulation of both ingredients (Authenticity and Privacy) of ITS. These can be embedded into a single composable requirement [22] utilizing the trace norm, $\| \rho_{KE} - \tau_K \otimes \rho_E \|_1 \le \epsilon(n)$, where $\tau_K$ is the completely mixed state on $K$.

Composability of QKD key has many implications. The most immediate one is related to relaxing the assumption on availability of a public authentic channel. From a practical point of view this assumption is indeed too strong. Message modification on classical channels is a simple technical task. This would, however, allow the eavesdropper to easily mount man-in-the-middle attacks by cutting both the classical and the quantum channels, introducing corresponding QKD quantum technology, and carrying out two QKD protocols, one with Alice pretending that she is Bob and one with Bob taking over the role of Alice. Fortunately, it is possible to give up the authenticity assumption by augmenting pure QKD with a message authentication scheme, which can guarantee integrity of classical communication with information-theoretic security. This is achieved by means of continuous usage of secret key in classical communication. In particular, each message is sent together with a hash value, where hashing is performed with a keyed hash function for each message, whereby the function itself is chosen from some almost universal family of functions, which is indexed by the secret key [24, 25]. The rate of key generation of pure QKD is higher than the key usage for message authentication. Therefore, putting things together, QKD is an information-theoretically secure key agreement process, which needs a fixed (small) amount of pre-distributed initial secret key to start with. Due to composability, subsequent authentication of communication can be performed using part of the newly generated key.^3



2.3 QKD Links: Performance and Application Domains 

Having clarified the security of QKD we turn to more practical issues like the connectivity it allows and its typical performance.

As far as connectivity is concerned it should be noted that QKD is intrinsically a point-to-point primitive (need for dedicated direct connection by a quantum channel, necessity of peer-to-peer key pre-sharing), and is thus suitable for key establishment in a closed community. Further it should be pointed out that, as a consequence of composability, if the QKD-generated key is used for an information-theoretically secure communication, provided by One Time Pad (OTP) encryption together with unconditionally secure authentication, then the composed protocol realizes an unconditionally secure channel - a point-to-point QKD link^4 - which among other tasks, can be used for key transport as discussed in the subsequent section.

Performance on the other hand is given by the secret key generation rate $K(\ell)$, which is a characteristic function of distance $\ell$ depending on the QKD protocol and the specific implementation of a QKD link. This rate clearly varies from system to system but in general terms it follows the curve of Fig. 1. As shown in this figure, the logarithm of the rate of secret bit agreement initially falls at a given power of the channel attenuation (depending on the implemented QKD protocol), and features an exponential drop-off at long distances. In addition to reliability and stability, the performance of practical QKD systems is usually measured by the maximum communication distance they can reach, $D_{max}$, and the secure key generation rate they can achieve at a useful range. The limiting factors vary greatly for different protocols and implementations and range from hardware-related problems such as the high dark count rates in typical single-photon counting detectors at telecommunication wavelengths to algorithmic issues such as the finite efficiency of error-correcting codes [3]. The distance at which direct QKD between two parties is possible is roughly limited to 100 km in optical fibers for current systems, with a possibility of reaching up to 200 km in the next few years, while the secret key generation rate is currently limited to a few tens or hundreds of kbit/s depending on the distance.

3 It is remarkable that the cryptographic key agreement primitive most widely used in current security practice - namely the Diffie-Hellman key agreement protocol [26] - is also prone in its pure form to man-in-the-middle attacks and for this reason has to be augmented by additional measures.

4 A QKD link is realized by two quantum optics and processing devices - QKD devices - usually a sender and a receiver, deployed with Alice and Bob respectively, which generate key and optionally can perform simple key management and ITS encryption/authentication.

Figure 1: Typical profile of the rate versus distance curve for a single QKD link.

It is clear from the above discussion that QKD links suffer from intrinsic limitations: they cannot be operated over arbitrarily long distances and their use is restricted to point-to-point key exchange/secure communication between the two endpoints of the quantum channel. A natural question that arises then is what could be the application field of a technology with such characteristics. Obviously, QKD links can be directly used in an environment in which highly secure communication is required between two parties over a relatively short distance. If information-theoretic secure communication is the target, it can be achieved at low rate (i.e. around 10-20 kbit/s). If broadband secure communication is needed instead, then unconditionally secure communication is out of reach at a reasonable cost. A highly secure point-to-point communication is still possible by combining a pair of QKD devices with high end symmetric encryptors (typically running the AES encoding scheme). In this case, the limit is set by the speed of encryption (around 10 Gbit/s) whereas the key is exchanged at a rate allowed by the QKD device-pair. It should be stressed that although the overall security offered by such QKD link-encryptors is no longer information-theoretic it greatly exceeds the one provided by any other currently existing method. Today, several QKD-based link encryptors are commercially available [12], but their range of applications in practical communication systems is inevitably rather limited. A better way to exploit the extremely high security standard offered by QKD and to extend the application range to long-distance and multiple-user key establishment is to combine several QKD links in order to form a QKD network. Indeed, as we will see in the next sections, a number of the aforementioned limitations of QKD links can be overcome when it is possible to achieve QKD-based unconditionally secure key agreement over a network [27, 28]. From this perspective the development of QKD network architectures appears as a necessary step in order to achieve effective integration of QKD into secure communication networks.

3 QKD Networks 

We define a QKD network as an infrastructure for ITS key establishment, which relies on quantum resources available to the legitimate participants, while not imposing bounds on the eavesdropping capabilities of the adversary, and allows connectivity of parties that do not share a direct, fixed quantum channel. Optionally this infrastructure should also allow lifting the restrictions typical for stand-alone QKD links - enable ITS key establishment over long distances (e.g. continental scale), increase and maximize the throughput capacity (the key generation rate) and ensure robustness against denial of service attacks and technical service break-downs.

The first proof-of-principle QKD network demonstrator, the "DARPA Quantum network", was deployed between Harvard University, Boston University and BBN in 2004 [29, 30]. A highly integrated network demonstrator, developed within the framework of the integrated FP6 Project Secoqc, which ensures network-wide ITS key establishment, was deployed, tested, and demonstrated in Vienna.

3.1 Types of QKD Networks 

The precise notion of ITS security depends on the particular QKD network model. 
For this reason we start by considering the different QKD network types. These have 
been known for a long time now and have been suggested already in [31]. There 
are two principal approaches: a) quantum channel switching paradigm - creating 
an end-to-end quantum channel (or more generally distributing quantum resources) 
between Alice and Bob, or b) trusted repeater paradigm - transport of key over many 
intermediate nodes, which are (at least partially) trustworthy i.e. not infiltrated by 
the eavesdropper. The two approaches are essentially different and we shall discuss 
them one after the other. 

3.1.1 QKD Networks With Quantum Channel Switching 

Optically switched quantum networks: These are networks in which some classical optical function, like beam splitting, switching, multiplexing, demultiplexing, etc., can be applied to the quantum signals sent over the quantum channel. The interest in such optical networking capabilities in the context of QKD networks is that they allow going beyond the two-user QKD. Moreover, this can be done with current technology. Active optical switching can be thus used to allow the selective connection of any two parties with a direct quantum channel (the BBN DARPA quantum network contained an active 2-by-2 optical switch that could be used to actively switch between two network topologies). Optical functions can thus be used to realize multi-user QKD, and the intermediate sites do not need to be trusted, since quantum signals are transmitted over a quantum channel with no interruption from one end-user QKD device to the other one. In this sense the security analysis coincides with that for a stand-alone QKD link. This QKD network model can however not be used to extend the distance over which keys can be distributed. Indeed, the extra amount of optical losses introduced in the switching devices will in reality decrease the transmission capacity of quantum channels and thus the maximal key distribution distance. In addition, in a fully switched optical network any two parties have to share an initial secret to be able to start the key agreement process. So, overall, this type of network is not scalable and thus not suitable for long distance QKD. Instead, it can be used in local or metropolitan areas.
Quantum repeater based QKD networks: To be able to extend the distance over which quantum key distribution can be performed, it is necessary to fight against propagation losses that affect the quantum signals as they travel over the quantum channel. Quantum repeaters [32] can overcome the loss problem and can be used to distribute entanglement between any two parties and therefore effectively create an end-to-end quantum channel across the network. A quantum repeater based network can thus be seen as a "fully quantum" network. As intermediate network nodes do not get any information in the process of key generation, end-to-end unconditional security is guaranteed without the need to trust these nodes. In this sense the security analysis also coincides with that for a stand-alone QKD link. Quantum repeaters however rely on elaborate quantum operations and on quantum memories that cannot be realized with current technology. As discussed in [33], quantum nodes called quantum relays could also be used to extend the distance over which secure QKD can be performed.^5 Quantum relays are simpler to implement than quantum repeaters since they don't require quantum memories. However, even quantum relays have not yet been technically realized. Moreover, quantum relays would not allow secure QKD over arbitrarily long distances.

3.1.2 Trusted Repeater QKD Networks 

Trusted repeater QKD networks have been discussed in various contexts since the 
advent of Quantum cryptography. Below we give a more formal definition, which 
in turn simplifies the subsequent security analysis of such networks. 

5 Both quantum repeaters and quantum relays are devices that allow to teleport qubits over several quantum channel segments, whereby entangled photons are distributed along the separate segments. The main difference between quantum repeaters (see [5] for a simple model of a quantum repeater) and quantum relays is that while in a quantum repeater received photons are kept in quantum memories in order to bring entangled pairs from adjacent segments in correspondence, in a quantum relay one waits for the event when all photons sent along the different segments are received - i.e. none is absorbed.

We define a QKD trusted repeater network as an infrastructure composed of QKD links, i.e. from a structural point of view pairs of QKD devices associated by a quantum and a classical communication channel, each link connecting two separate locations or nodes. A QKD trusted repeater network is then a connected graph, the vertices of which are nodes, and the edges - QKD links.

We assume further that initial secret keys are only shared between neighboring 
nodes (i.e. ones directly connected by a QKD link) and not between any arbitrary 
pair. This assumption ensures that the number of initial secrets to be shared scales 
(for wide area networks) with the number of network nodes and not with their 
square. This in turn largely simplifies the initialization of a QKD network and the 
adoption of additional nodes during operation. 

QKD networks based on trusted key repeaters follow a simple principle: global key distribution is performed over a QKD path, i.e. a one-dimensional chain of trusted repeaters connected by QKD links, establishing a connection between two end nodes. Secret keys are forwarded, by unconditionally secure key transport along the QKD links of the path in a hop-by-hop fashion. (As mentioned above unconditionally secure transport over separate QKD links is ensured by One Time Pad encryption and ITS authentication, both realized with a local QKD key.) End-to-end information-theoretic security is thus obtained between the end nodes, provided that all the intermediate nodes can be trusted, as these possess the full communicated information. The trusted nodes thus play the role of (classical) trusted repeaters. This architecture can be used to build a long-distance QKD network. The advantage of such quantum networks is that they rely on QKD for link key establishment, which guarantees that it is impossible to compromise the network key distribution by direct attacks on the links.
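As an added illustration (not code from the paper or from the SECOQC project), the following Python model implements the hop-by-hop key transport just described: each link's key material (os.urandom standing in for QKD output) feeds a one-time pad plus a Wegman-Carter tag drawn from an almost universal polynomial hash family, as in the authentication scheme of Section 2.2. Every intermediate node recovers the forwarded key in clear, which is exactly why it must be trusted, and a modified ciphertext ends the transport with notification of failure; all names, the field size and the per-hop key consumption are my own choices.

```python
import os

# Assumed parameters (not from the paper): prime field for the polynomial
# hash and the number of message bytes packed into one field element.
P = (1 << 61) - 1        # Mersenne prime 2^61 - 1
BLOCK = 7                # 56-bit chunks, always < P


class LinkKeyPool:
    """Key material shared by the two ends of one QKD link. Here os.urandom
    stands in for the QKD output; bytes are consumed in order and never reused,
    so both ends must call take() in the same sequence."""

    def __init__(self, material: bytes):
        self._buf, self._pos = material, 0

    def take(self, n: int) -> bytes:
        if self._pos + n > len(self._buf):
            raise RuntimeError("link key exhausted")
        chunk = self._buf[self._pos:self._pos + n]
        self._pos += n
        return chunk


def make_link(nbytes: int = 4096):
    """Two pool objects holding identical material: one per end of the link."""
    material = os.urandom(nbytes)
    return LinkKeyPool(material), LinkKeyPool(material)


def poly_hash(k: int, msg: bytes) -> int:
    """Almost universal family: evaluate the polynomial whose coefficients are
    the message length followed by the message chunks, at the point k (Horner
    form). Two distinct messages collide for at most (#chunks + 1) values of k."""
    h = len(msg)
    for i in range(0, len(msg), BLOCK):
        h = (h * k + int.from_bytes(msg[i:i + BLOCK], "big")) % P
    return h


def mac_tag(k: int, r: int, msg: bytes) -> int:
    """Wegman-Carter tag: hash under the one-time function index k, then
    one-time pad the result with r (both drawn from link key, used once)."""
    return (poly_hash(k, msg) + r) % P


def _mac_keys(pool: LinkKeyPool):
    # 8 random bytes reduced mod P; the reduction bias is negligible for 2^61-1.
    k = int.from_bytes(pool.take(8), "big") % P
    r = int.from_bytes(pool.take(8), "big") % P
    return k, r


def otp(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(key, data))


def send_hop(pool: LinkKeyPool, payload: bytes):
    """Sender side of one link: OTP the payload, then tag the ciphertext.
    Key consumed per hop: len(payload) + 16 bytes."""
    pad = pool.take(len(payload))
    ct = otp(pad, payload)
    k, r = _mac_keys(pool)
    return ct, mac_tag(k, r, ct)


def recv_hop(pool: LinkKeyPool, ct: bytes, tag: int):
    """Receiver side: consume the same key bytes in the same order; on a bad
    tag return None, i.e. terminate with notification of failure."""
    pad = pool.take(len(ct))
    k, r = _mac_keys(pool)
    if mac_tag(k, r, ct) != tag:
        return None
    return otp(pad, ct)


def forward_key(key: bytes, links, tamper_hop=None):
    """Relay `key` from node 0 (Alice) to node len(links) (Bob) hop by hop.
    links[i] = (sender_pool, receiver_pool) of the link node i -> node i+1.
    Returns (key as received by Bob, or None on abort; list of plaintexts
    held by the intermediate nodes, i.e. what each trusted repeater learns)."""
    seen, payload = [], key
    for i, (tx, rx) in enumerate(links):
        ct, tag = send_hop(tx, payload)
        if i == tamper_hop:          # modification on the classical channel
            ct = bytes([ct[0] ^ 0x01]) + ct[1:]
        payload = recv_hop(rx, ct, tag)
        if payload is None:
            return None, seen
        if i < len(links) - 1:
            seen.append(payload)     # repeater holds the key in clear
    return payload, seen


def demo(path_len: int = 4, tamper_hop=None):
    """Build a path of `path_len` links and forward a fresh 256-bit key."""
    links = [make_link() for _ in range(path_len)]
    key = os.urandom(32)
    got, seen = forward_key(key, links, tamper_hop)
    return key, got, seen


if __name__ == "__main__":
    key, got, seen = demo()
    print("Bob holds Alice's key:", got == key)
    print("intermediate nodes that saw the key in clear:", len(seen))
    print("tampered hop aborts:", demo(tamper_hop=1)[1] is None)
```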

Trusted repeater QKD networks can be implemented with today's technology 
since the nodes are essentially QKD devices plus classical memories and processing 
units placed within secure locations. This concept had been tested in the BBN QKD 
network and is also the basis of the Secoqc QKD network, which is exclusively 
based on the trusted repeater approach. 

3.2 Security Framework and the Architecture SECOQC 

In the trusted repeater paradigm one can differentiate between two basic security 
frameworks: 

The first trust framework, already outlined above, is highly realistic and relevant for internal networks belonging to a spatially distributed entity such as an industrial, financial, governmental, or military institution, the backbone of a telecommunication provider, etc. This case is the main focus of Secoqc. The all-nodes-trusted assumption obviously leads to a straightforward cryptographic conclusion on the security of network connectivity. Together with the guarantee for an information-theoretically secure transport from node to node provided by the underlying QKD links it ensures unconditionally secure transport between Alice and Bob. Indeed in this case the eavesdropper is restricted to attacking the QKD links, which at best can result in a denial of service but not in a gain of any information on the (key) material which is securely transported. While this argument ultimately settles the security analysis in the current model, a practical network realization requires addressing a multitude of architectural tasks, which are of more applied nature. These tasks include:

• How to design the architecture of network nodes so that they can provide a universal key distribution mechanism, while possibly integrating heterogeneous QKD links [34]? (Here heterogeneity is meant in terms of the background QKD protocol and device engineering.)

• How to specify the peer-to-peer key transport protocols?

• Which particular information-theoretically secure message authentication code to select for implementation?

• How to design end-to-end network routing and transport protocols, taking into account the unconditionally secure nature of the transport [28]?

• How to optimally plan the deployment of QKD networks, from a cost perspective, based on a study of the relation of cost and topology [44]?

All of these issues have been at the core of the development work of Secoqc. They have been addressed by a broad interdisciplinary team, and important advances have been made in all mentioned areas.^6 The outcome is a layered network model effectively decoupling all classical communication as well as the network and key transport functionality from the operation of the QKD devices. As a result, the Secoqc network involves the ability to integrate, by using standard interfaces, a completely heterogeneous physical layer consisting of different types of QKD devices from multiple providers with a homogeneous network-wide end-to-end key transport layer. The project has put in operation and tested a highly integrated prototype in the metropolitan fibre-ring of Siemens in the city of Vienna (see Fig. 2 for a schematic representation). A public demonstration of this prototype took place October 8, 2008.

The second framework type assumes that a limited number of nodes are taken over by the adversary or corrupted. Obviously this framework is much more challenging from a cryptographic point of view. It is closely related to, although distinct from, a classical problem dedicated to the study of secure message transmission over untrusted networks. In the latter model, it is assumed that any node of the network can be taken over by the adversary but the number of corrupted nodes is upper bounded by some threshold. Apart from the threshold, adversaries can be arbitrarily malicious or Byzantine. Any such adversary that can take over no more than $t$ nodes is called $t$-bounded. In Section 4 we study the same problem for trusted repeater QKD networks, where some nodes are corrupted and Byzantine. We discuss an essential difference with respect to the classical case: a condition that protocols in the classical setting should satisfy is too strong when private links between neighbouring nodes are implemented using QKD.

6 It should be noted that currently the results are only partially publicly available, as at present the project team continues the effort of preparing internal deliverables for final publication. Unpublished deliverables include: O. Maurhart, "Q3P: A Proposal"; M. Fitzi, "General Authentication Framework in QKD"; J. Bouda, et al., "SECOQC Node Keystore Module and Crypto Engine"; J. Bouda, et al., "Encryption and Authentication in SECOQC".

Figure 2: The Secoqc network prototype in Vienna - a sketch.

It should be noted that this second framework is highly relevant for QKD networks 
owned by several, possibly competing, entities, and mimics realistic telecom 
network settings. It requires further research, and in particular addressing all 
practically relevant tasks already carried out in Secoqc for the case of all-node-trusted 
networks. 

4 Secret-Key Agreement Over a QKD Network With Corrupted Nodes 

In this section, we discuss privacy and authenticity of secret keys generated over 
a trusted repeater QKD network with some corrupted nodes. We look at how to 
characterize adversaries in this model and how to achieve security of the secret 
keys generated over the QKD network against these adversaries. We compare the 
QKD-network approach to the related classical problem of perfectly secure message 
transmission over untrusted networks. We provide a means by which Alice and Bob 
can verify the authenticity of secret keys generated over a QKD network. This point 
was originally addressed in the unpublished Secoqc Deliverable [36]. While the 
current paper has been in preparation, two preprints with similar objectives [37, 38] 
have been published. The approach of their authors is similar to the one presented 
here, but the techniques used to verify the authenticity of the keys are different. 
The advantage of our technique lies in its potential not only to differentiate between 
authentic and forged keys, but, as discussed below, to help reveal malicious parties 
in some scenarios. 



4.1 The Basic Setting 

A straightforward strategy for Alice and Bob to generate a secret key unknown to 
any other single node in the network is to use two disjoint paths. The final key K 
between Alice and Bob is a secret shared by these paths. 
Figure 3: Example: two paths between Alice and Bob. 



Figure 3 shows an example where Alice and Bob generate a secret key 
$K = K_S \oplus K_T$ using the keys $K_S$ and $K_T$, which are the secret keys generated on 
each path. Of course, the secret key of each path is generated using point-to-point 
QKD and the standard hop-by-hop mechanism. The secret key $K$ is secure and 
unknown to each path as long as the paths do not fully collaborate in a malicious 
way. It means that $K$ is secure only if users can trust at least one path out of the 
two. In general, if Alice and Bob generate a secret key $K$ from $t$ paths then $K$ will 
be secure unless all $t$ paths are dishonest and collaborate. We denote by $\{K_i\}_{i=1}^{t}$ 
the set of all $t$ intermediary keys of length $n$ and we let $K := \bigoplus_{i=1}^{t} K_i$, where '$\oplus$' 
denotes the bitwise exclusive-or. 

Notice that the point of view described above is relevant in practice when each 
path is owned by a single entity. In this case, nodes along a path do not have a 
life of their own but are rather representative of a single authority. When only one 
node misbehaves along a path, the entire path becomes dishonest. In this setting, 
paths are rather static since they correspond to physical authorities.⁷ 
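The following is an added example, not code from the paper or from the SECOQC project. It models the hop-by-hop mechanism and the two-path layout of Fig. 3: every neighbouring pair holds a link key (a random string stands in for the QKD-generated key), Alice's path key is forwarded node by node under one-time-pad encryption with the link keys, and the end-to-end key is the XOR of the path keys. One node on the second path is corrupted, so that path is dishonest; the example shows that such a node learns that path's key but not the final key, and that it can nonetheless leave Alice and Bob with different keys. Node names, the path layout and the 32-byte key length are assumptions.

```python
"""Hop-by-hop key relay over two disjoint paths with one corrupted node (Sect. 4.1)."""
import secrets
from typing import Dict, List, Optional, Tuple

KEYLEN = 32  # bytes per path key (assumption)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Node:
    def __init__(self, name: str, corrupt: bool = False) -> None:
        self.name = name
        self.corrupt = corrupt
        self.link_keys: Dict[str, bytes] = {}   # neighbour name -> shared link key
        self.learned: List[bytes] = []          # path keys a corrupt node has read
        self.inject: Optional[bytes] = None     # if set, forwarded instead of the real key


def qkd_link(a: Node, b: Node) -> None:
    """Stand-in for point-to-point QKD between neighbours a and b (random link key)."""
    k = secrets.token_bytes(KEYLEN)
    a.link_keys[b.name] = b.link_keys[a.name] = k


def relay(path: List[Node], path_key: bytes) -> bytes:
    """Forward path_key from path[0] (Alice) to path[-1] (Bob); return what Bob obtains."""
    current = path_key
    for sender, receiver in zip(path, path[1:]):
        on_wire = xor(current, sender.link_keys[receiver.name])   # OTP under the link key
        current = xor(on_wire, receiver.link_keys[sender.name])   # receiver decrypts
        if receiver.corrupt:
            receiver.learned.append(current)    # a corrupt node sees the whole path key
            if receiver.inject is not None:
                current = receiver.inject       # ... and may replace it downstream
    return current


def agree(paths: List[List[Node]]) -> Tuple[bytes, bytes]:
    """K_A = XOR of the path keys Alice chose, K_B = XOR of the keys Bob received."""
    k_a = k_b = bytes(KEYLEN)
    for path in paths:
        for a, b in zip(path, path[1:]):
            qkd_link(a, b)
        chosen = secrets.token_bytes(KEYLEN)
        k_a, k_b = xor(k_a, chosen), xor(k_b, relay(path, chosen))
    return k_a, k_b


def scenario(active: bool) -> Tuple[bytes, bytes, bytes]:
    """P1 = Alice-N1-N2-Bob (honest), P2 = Alice-N3-Bob with N3 corrupt (assumed layout).
    Returns (K_A, K_B, the corrupt node's best guess of the final key)."""
    alice, bob = Node("Alice"), Node("Bob")
    n1, n2, n3 = Node("N1"), Node("N2"), Node("N3", corrupt=True)
    if active:
        n3.inject = secrets.token_bytes(KEYLEN)  # desynchronise Alice and Bob on P2
    k_a, k_b = agree([[alice, n1, n2, bob], [alice, n3, bob]])
    guess = bytes(KEYLEN)
    for k in n3.learned:                         # everything a 1-bounded adversary saw
        guess = xor(guess, k)
    return k_a, k_b, guess


if __name__ == "__main__":
    k_a, k_b, guess = scenario(active=False)
    print("passive corrupt node: K_A == K_B ->", k_a == k_b)
    k_a, k_b, guess = scenario(active=True)
    print("active corrupt node:  K_A == K_B ->", k_a == k_b)
```

With the corrupt node passive, Alice and Bob end up with the same key and the node's view (the P2 path key alone) is independent of it, because the P1 key masks it. With the node active, the keys differ while the node still learns nothing about either; this is exactly the gap that the authentication step of Sect. 4.4.2 has to close.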



4.2 Private Transmission Over Classical Untrusted Networks 

We have informally discussed classical secure message transmission protocols in 
Section 2. A little more formally, perfectly secure message transmission protocols 
against $t$-bounded adversaries, i.e. adversaries controlling no more than $t$ nodes, 
should satisfy the two following properties: 

Guaranteed Delivery: No $t$-bounded adversary can prevent Alice's message from 
reaching Bob, and 

Privacy: No $t$-bounded adversary has access to more than a negligible amount of 
information about the message sent by Alice. 

In this model, Dolev, Dwork, Waarts, and Yung [35] have shown the following 
with respect to one-way communication links. Links are said to be one-way if the 
connectivity graph of the network is a directed graph. 

1. When all communication links are one-way without feedback, it is necessary 
and sufficient to have $3t+1$ vertex-disjoint directed paths from Alice to Bob. For 
any two nodes to be able to communicate privately, the network graph must be 
$(3t+1)$-connected (necessary and sufficient condition). 

2. When all communication links (edges in the graph) are two-way, $2t+1$ 
vertex-disjoint paths are necessary and sufficient for Alice and Bob. For any two 
nodes to be able to communicate privately, the network graph must be 
$(2t+1)$-connected (necessary and sufficient). 

Notice that privacy is more demanding than reliability, since in order to have 
private communication it is necessary to have reliable communication! More precisely, 
if in a point-to-point network an adversary can take over up to $t$ nodes then $t+1$ 
vertex-disjoint directed paths are sufficient for reliable communication alone. 

This model has been generalized by Desmedt and Wang [40], who consider 
the possibility of using some feedback channels. Feedback channels become possible 
when the connectivity graph of the network is not one-way directed outside all 
nodes. When $u$ feedback channels are vertex-disjoint from the forward channels 
they show that: 

1. When there are $2(t-u)+1 \ge t+1$ directed disjoint paths from Alice to Bob, 
private message transmission is possible against $t$-bounded adversaries, where 
there are $u$ directed node-disjoint paths from Bob to Alice. As mentioned 
above, these $u$ paths must also be node-disjoint from the $2(t-u)+1$ paths 
from Alice to Bob. 

⁷ This basic model was introduced in one of the first cryptography deliverables of SECOQC [55]. 

2. When there are $3t+1-u \ge 2t+1$ directed disjoint paths from Alice to Bob 
and $u$ directed paths from Bob to Alice (where, as before, paths from Alice 
to Bob and paths from Bob to Alice are node-disjoint), private message 
transmission against $t$-bounded adversaries is possible. 

These results were improved in [41] by giving necessary and sufficient conditions for 
private message transmission with feedback. Again for the case where the feedback 
channels are vertex-disjoint from the forward channels, we have: 

Theorem 1. [41] Assume there are $u$ directed node-disjoint paths from Bob to 
Alice, vertex-disjoint from the forward channels. Then a necessary and sufficient 
condition for private message transmission from Alice to Bob against any $t$-bounded 
adversary is that there are $\max\{3t+1-2u,\; 2t+1\}$ directed node-disjoint paths 
from Alice to Bob. 

Notice that all these results put serious restrictions on the number of available 
disjoint paths between the two parties who want to communicate privately. Without 
feedback, in order to protect against a mere 3 corrupted nodes, Alice and Bob must 
be able to communicate through 10 disjoint paths, while if all connections are two-way 
then 7 paths are required. 

4.3 Differences with the QKD Setting 

In this section we quickly and roughly discuss the main differences between the 
classical and the QKD (trusted repeater) setting for private communication on un- 
trusted networks. 

The most obvious difference between the two settings is that while in the clas- 
sical case messages are transmitted, a QKD network is mainly concerned with key 
distribution. This difference is only cosmetic. It is easy to see that private mes- 
sage transmission implies the ability to distribute secret-keys and that the ability 
to distribute key implies the ability to send private messages. In other words, the 
functionalities achieved in both settings are equivalent. 

As for private classical message transmission, privacy of secret keys generated 
through a QKD network can only be guaranteed if different paths do not overlap. 
If a corrupted node $N^*$ is part of all quantum paths between Alice and Bob then no 
private communication (or key) can possibly be established. Therefore, and unless 
nodes that belong to more than one path are incorruptible, we can focus on network 
architectures with non-overlapping paths. 

While for classical private message transmission point-to-point private communication 
is assumed between any neighbouring nodes, in a QKD network no such 
assumption is required, since private point-to-point communication is provided by 
QKD. It follows that all private message transmission protocols, and in particular 
the ones of [35, 40, 41], can be implemented using QKD to provide private 
point-to-point communication between neighbouring nodes. Using these classical 
constructions would allow for key distribution and private communication over 
more general network architectures than the one depicted in Fig. 3. Moreover, when 
QKD is used to implement private point-to-point communication in the constructions 
of [35, 40] for instance, $t$-bounded adversaries can, in addition to controlling 
any $t$ nodes, eavesdrop on the classical communication between any other pair of nodes. 
If in addition the adversary eavesdrops on the quantum channel then, although it 
becomes possible to implement a denial of service attack,⁸ no information on a secret 
key successfully generated can be obtained. 

Then how come the situation depicted in Fig. 3 allows Alice and Bob 
to agree upon a secret against any 1-bounded adversary while there are only 2 
disjoint paths in the network? This seems to do better than the necessary $2t+1$ 
paths of [35]. The answer is that in the situation depicted, Alice's and Bob's keys 
were not required to be identical but only to be both unknown to the adversary. It 
is straightforward for one corrupted node to prevent Alice and Bob from agreeing 
on an identical key. Moreover, Alice and Bob will not be able to detect that they 
do not share a private key unless they already share an authentication key used to 
establish the correctness of a newly generated secret key. Unlike the classical 
case described in Sect. 4.2, the rough setting described above does not address the 
problem of guaranteed delivery. This may have important consequences for the 
security of the architecture; such a weakness is not a desirable property for any 
network architecture providing privacy. However, guaranteed delivery seems to be 
asking for too much, since QKD never guarantees successful key generation: a denial 
of service attack is always possible in principle. 

This circumstance calls for a slightly weaker delivery condition in the QKD-network 
case in comparison to the fully classical setting. Instead of guaranteed 
delivery, it is more appropriate to require either an authentic delivery to both parties 
(the keys of Alice and Bob coincide and they know it) or a notification of network 
failure. More formally, we require a delivery condition which is analogous to an ITS 
end-to-end key establishment between two arbitrary nodes (Alice and Bob) over the 
network. 

Authenticity: Any two parties Alice and Bob can send classical messages between 
them in a way that will either guarantee delivery, and therefore $K_A = K_B$, or 
lead to a notification of a network failure. This is weaker than the guaranteed 
delivery criterion discussed in Section 4.2. 

Privacy: No adversary has information about either $K_A$ or $K_B$ generated by 
Alice and Bob during key generation. In particular, when $K_A = K_B$ the 
adversary has no information about the secret key. 

Notice that for the sake of clarity we have deliberately simplified the definition 
by omitting the $\varepsilon(n)$ notation, although we keep it in mind. 



⁸ Too much eavesdropping on the quantum channel will cause two neighbouring nodes to abort the 
key generation. 

4.4 Achieving Privacy and Authenticity in QKD-Networks 



In order to achieve both authenticity and privacy in a QKD-network, it must satisfy 
conditions similar to the ones we have seen in Theorem 1. In particular, two 
parties who want to exchange a secret key do not in general share an authentication 
key. It follows that testing the authenticity of a newly generated secret key 
must be performed by transferring an authentication tag through a network where 
some nodes are corrupt. We shall see in the following that authenticity is guaranteed 
against any $(\ell-1)$-bounded adversary if there are $\ell$ disjoint paths. Security 
of the resulting secret key is also guaranteed against $(\ell-1)$-bounded adversaries 
according to the security criterion of Sect. 4.3, while it is guaranteed against any 
$(\ell-2)$-bounded adversary according to a more stringent privacy criterion that we 
introduce in Sect. 4.4.1. This is in any case better than the constructions discussed 
in Sect. 4.2 that, while satisfying the stronger security notion of guaranteed delivery, 
are secure against $t$-bounded adversaries only if $2t+1$ disjoint channels are available. 

Let us get back to authenticity and privacy of the secret keys generated in a 
QKD-network. 



4.4.1 Privacy 

What do we mean when we say that a key obtained by Alice and Bob is private? 
It is certainly not completely private, since keys are also known to an adversary 
controlling all paths. Even if one path is not under the control of the adversary, 
Alice and Bob do not want their keys to be known by any node along an honest path. 
In other words, trusted nodes should never get any information about secret keys 
generated through them.⁹ 

Remember how secret keys are generated when Alice and Bob are connected 
through $\ell$ disjoint paths $P_1, P_2, \dots, P_\ell$. Let $K_i^A$ and $K_i^B$ be Alice's and Bob's secret 
key respectively obtained from path $P_i$, $1 \le i \le \ell$, using QKD between neighbours. 
Alice and Bob then set their secret keys as: 

$$K_A := \bigoplus_{i=1}^{\ell} K_i^A \quad \text{and} \quad K_B := \bigoplus_{i=1}^{\ell} K_i^B.$$

When no adversary acts actively, the key generation is such that $K_i^A = K_i^B$ for all 
$1 \le i \le \ell$ and therefore $K_A = K_B$. 

Notice that any $t$-bounded adversary $A$ can only learn keys $K_i^A$ and/or $K_i^B$ if 
$P_i$ is under the control of $A$. This is guaranteed by the privacy of QKD between 
neighbouring nodes. Let $\mathcal{S}_A \subseteq \{P_1, \dots, P_\ell\}$ be the set of paths under the control of 
$A$. Since $A$ is $t$-bounded we have that $|\mathcal{S}_A| \le t$. By construction, any $K_i^A$ and $K_i^B$ 
with $P_i \notin \mathcal{S}_A$ is completely unknown to $A$. It follows that both final keys $K_A$ and 
$K_B$ are unknown to $A$ as soon as $\ell > t$. Let us be more precise. Keys of length 
$n$ generated by QKD between honest neighbours are guaranteed to be $\varepsilon(n)$-private 
against any third party. (In Section 2 we have already pointed out that a key $K$ 
is $\varepsilon(n)$-private if, given the state of the adversary, $K$ is $\varepsilon(n)$-indistinguishable from 
a random $n$-bit string.) Keys $K_A$ and $K_B$ must therefore be $\varepsilon(n)$-private against 
any $(\ell-1)$-bounded adversary $A$. In other words, 

⁹ Consider an honest path between Alice and Bob belonging e.g. to an organization related to them. It 
could happen that Alice and Bob want to share sensitive information about the organization of this very 
path. Even if by definition the path is honest and always properly executes the communication protocol, 
it could still be curious. Obviously in many cases, as the one just outlined, Alice and Bob would prefer 
that their communication remains private, i.e. unknown to the path. 

Lemma 1. Let $K_A = \bigoplus_{i=1}^{\ell} K_i^A$ and $K_B = \bigoplus_{i=1}^{\ell} K_i^B$ be such that $\{K_i^A\}_{i=1}^{\ell}$ and 
$\{K_i^B\}_{i=1}^{\ell}$ have been generated through disjoint paths $P_1, \dots, P_\ell$, where $(K_i^A, K_i^B)$ is 
$\varepsilon(n)$-private and satisfies $K_i^A = K_i^B$ when $P_i$ is an honest path. Then $(K_A, K_B)$ 
is $\varepsilon(n)$-private against any $(\ell-1)$-bounded adversary, but not necessarily such that 
$K_A = K_B$. 

As stated in the above lemma, $A$ can certainly prevent Alice and Bob from 
generating $K_A = K_B$. It suffices for one adversarial node to make its neighbouring 
node believe they share a key while in fact they don't. It is sufficient for $A$ to send 
classical messages different from what is expected in order for $K_A \ne K_B$. Although 
such an attack will not allow $A$ to learn anything about $K_A$ and $K_B$, it ensures that 
no secure transmission can take place between Alice and Bob, even though they are 
not aware of this fact. 

The authenticity of K A and K B should therefore be checked upon all new key 
generations. 

Another important point regarding privacy is the following. Suppose an adversary 
controls $\ell-1$ paths $P_1, \dots, P_{\ell-1}$. The honest path $P_\ell$, without behaving 
dishonestly, could be able to determine Alice and Bob's secret key if the adversary 
decided to broadcast $\{K_i^A\}_{i=1}^{\ell-1}$. Moreover, a dishonest path could be tempted to 
publish all information it gathers in order to implement a denial of service attack. 
Publishing this information means that honest-but-curious paths would be able to 
decipher any communication between the end users. This could deter users from using 
their keys. It would therefore be desirable to enhance privacy against honest-but-curious 
paths in the following way. 

Privacy Against Honest-but-Curious Paths: Privacy is guaranteed against honestly 
behaving paths that happen to learn information from adversarial paths 
posting their secret information. Privacy in this case can be enforced simply 
by having at least 2 honest (but maybe curious) disjoint paths. 

Clearly, if two paths are honest (but curious), then even in the case where the 
adversary publishes everything she knows, neither of the curious but otherwise honest 
paths learns anything about the secret key. This follows since the secret key is 
shared among two honest parties who therefore never publish any of their private 
information. 



4.4.2 Authenticity 

As mentioned above, in a QKD-network it is desirable to pre-distribute authentication 
keys only for point-to-point connections. This choice drastically limits the 
complexity of the initial key distribution phase required before key material can start 
being generated. It follows that in this model Alice and Bob do not necessarily 
have an authentic channel they could use for testing the authenticity of a newly 
generated key. As discussed in the previous subsection, it is important for any pair 
of users to be able to guarantee the authenticity of a newly generated secret key 
even though they don't have access to an authentic channel between them. 

It follows that authentication tags must be sent through channels that may be 
under the control of the adversary. The key authentication process must guarantee 
that Alice concludes that K A = K B if and only if Bob concludes that K B = K A . 
Clearly, we also want that when K A = K B Alice and Bob identify this case with 
success. 

There are different methods to get this working. Suppose Alice and Bob have 
generated keys $K_A$ and $K_B$ respectively, where both are $n$-bit strings. They now 
want to establish the authenticity of their respective keys. This process should work 
when any $t$ paths out of $\ell$ disjoint paths are under the control of the adversary $A$. 
That is, the authenticity or non-authenticity of a secret key should be guaranteed 
against $t$-bounded adversaries. 

Remember from Section 4.4.1 that over $\ell$ disjoint paths, no $t$-bounded adversary 
for $t < \ell$ gets to know anything about either $K_A$ or $K_B$. This suggests using part of 
$K_A$ and $K_B$ to authenticate $K_A$ and $K_B$ through the $\ell$ disjoint paths from which 
the partial keys $\{K_i^A\}_{i=1}^{\ell}$ and $\{K_i^B\}_{i=1}^{\ell}$ have been generated. 
This can be done as shown in the following example. 



4.5 Example of a Simple QKD-Network 

For simplicity, let us get back to the example of Figure 3 where Alice and Bob use 
two non-overlapping paths $P_1$ and $P_2$ to perform a key exchange. In this case, the 
secret keys $K_A$ and $K_B$ must be authenticated and acknowledged even when $P_1$ or 
$P_2$ is under the control of the adversary. From privacy, however, when Alice and Bob 
happen to have $K_A = K_B$ they in fact have an authenticated channel between them. 
Assume that $\mathrm{MAC}_k(M)$ is the tag of a message authentication code for message 
$M$ under secret key $k$. Suppose also that $\mathrm{MAC}_k$ can be used to authenticate two 
messages securely against impersonation even if both tags have been computed with 
the same key $k$. 

One simple way to proceed in order to verify that $K_A = K_B$ in this scenario is 
as follows. 
• Alice and Bob pick the first $s$ bits of their respective keys, denoted by $k_A = (K_A)_{1\dots s}$ 
and $k_B = (K_B)_{1\dots s}$. Alice and Bob set $\bar K_A = (K_A)_{s+1\dots n}$ and $\bar K_B = (K_B)_{s+1\dots n}$ 
respectively. 

• Alice picks random $\lambda_v \in_R \{0,1\}^{n-s}$, for $1 \le v \le m$, where $m$ and $s$ are security 
parameters. Alice then sets $M_A := (\lambda_v, \lambda_v \odot \bar K_A)_{1 \le v \le m} \in \{0,1\}^{m(n-s+1)}$, where 
'$\odot$' denotes the inner product mod 2. 

• Alice sends $M_A$ to Bob together with an authentication tag: 

$$T := \mathrm{MAC}_{k_A}(M_A) = \mathrm{MAC}_{k_A}\big((\lambda_v, \lambda_v \odot \bar K_A)_{1 \le v \le m}\big).$$

The transmission of $(M_A, T)$ is made through paths $P_1$ and $P_2$ (that is, through 
all paths). 

• Let $M_1$ and $M_2$ be the messages received from paths $P_1$ and $P_2$ respectively. 
Bob, upon reception of $M_1 = M_2 = ((\lambda'_v, r_v)_{1 \le v \le m}, T)$, verifies that 

$$T = \mathrm{MAC}_{k_B}\big((\lambda'_v, \lambda'_v \odot \bar K_B)_{1 \le v \le m}\big).$$

Since for $\lambda_v$ chosen at random in $\{0,1\}^{n-s}$, when $\bar K_A \ne \bar K_B$, 

$$\Pr\big(\lambda_v \odot \bar K_A \ne \lambda_v \odot \bar K_B\big) = \tfrac{1}{2},$$

it follows that if $\bar K_A \ne \bar K_B$ then Bob will observe at least one $1 \le v^* \le m$ such that 
$\lambda'_{v^*} \odot \bar K_B \ne r_{v^*}$, except with probability $2^{-m}$. When Bob verifies that $T$ is well formed 
and that for each $1 \le v \le m$, $\lambda'_v \odot \bar K_B = r_v$, then he outputs res := ok. Notice that 
when $M_1 \ne M_2$ and one $M_b$, $b \in \{1,2\}$, is a properly authenticated transmission 
of $M_A$ then Bob can still set res := ok and in addition identify that path $P_{3-b}$ is 
dishonest. Otherwise, when neither $M_1$ nor $M_2$ is properly authenticated with key 
$k_B$, Bob outputs res := fail. Bob also outputs res := fail if he finds at least one 
$v^*$, $1 \le v^* \le m$, such that $\lambda'_{v^*} \odot \bar K_B \ne r_{v^*}$. Bob then authenticates the output res 
by computing the tag 

$$T' := \mathrm{MAC}_{k_B}(\mathrm{res}).$$

As for Alice's transmission, Bob sends $M_B := (\mathrm{res}, T')$ through each path $P_1$ and 
$P_2$. Alice receives $M'_1$ and $M'_2$ from $P_1$ and $P_2$ respectively. If neither $M'_1$ nor $M'_2$ 
is properly authenticated with session key $k_A$ then Alice concludes that $K_A \ne K_B$. 
If Bob has determined that $K_A = K_B$ then $(\mathrm{res}, T')$ is a properly authenticated 
message with key $k_A$ and can therefore be checked by Alice. Since at least one of $P_1$ 
or $P_2$ is honest, Alice will get Bob's message $M_B$ in $M'_1$ or $M'_2$ (or both!) and this 
can be checked since messages are authenticated. This means that if either $P_1$ or 
$P_2$ misbehaves during the transmission of $M_B$ then Alice will be able to identify the 
dishonest path. It follows that when Bob concludes $K_A = K_B$ then Alice reaches 
the same conclusion. Moreover, when $K_A \ne K_B$ Alice also determines it: either 
$k_A \ne k_B$, in which case no message among $M'_1$ and $M'_2$ is properly authenticated 
since MAC is a secure authentication scheme, or $k_A = k_B$ and Bob's authenticated 
res := fail reaches her over the honest path. Notice that no adversary (controlling one 
path in this case, and $\ell-1$ paths when there are $\ell$ disjoint paths) can forge an 
authenticated message since, by the discussion of Section 4.4.1, the adversary has 
no information about either $K_A$ or $K_B$ and therefore neither $k_A$ nor $k_B$. 



4.6 Providing Secret Key Authenticity 

In this section, we describe how Alice and Bob can determine the authenticity of a 
newly generated secret key given that they use secret-key generation over $\ell > t$ 
disjoint paths $P_1, \dots, P_\ell$. We assume that $\mathrm{MAC}_k(M)$ denotes the authentication 
tag of message $M$ using key $k \in \{0,1\}^s$. For simplicity, we also assume that MAC 
is secure against impersonation even given two message-tag pairs authenticated 
with the same key. Such schemes are easy to construct and we will discuss this 
point in Section 4.9. In the following, we denote by $p_{im}$ the probability of successful 
impersonation even after having seen two message-tag pairs. 

Now we have to make an assumption about the behaviour of honest paths. When 
Alice sends a message $M$ to Bob through an honest path $P$, $M$ is sent from node to 
node until it reaches Bob. Each transmission between neighbouring nodes $N_i$ and 
$N_{i+1}$ is authenticated. An adversary however could, in theory, prevent $M$ from 
reaching $N_{i+1}$. If this is the case, Alice could be unaware of Bob's status since she 
never received his last message. This suggests considering QKD networks where 

Any classical message $M$ from neighbouring node $N_i$ to $N_{i+1}$ along 
an honest path will eventually reach $N_{i+1}$. (2) 

The reason why this assumption does not seem too strong is the following. 
Any neighbouring nodes $N_i$ and $N_{i+1}$ share an authentication key. They can therefore 
use any network connecting them in order to transmit authenticated information. 
Although possible, it is unlikely that an adversary can succeed in preventing $N_i$ and 
$N_{i+1}$ from communicating forever. In practice, the internet can almost be considered 
a network where information between parties is always delivered. Notice also that 
if messages between neighbouring nodes cannot be delivered then the privacy of keys 
is never compromised; only the agreement between the end users upon 
whether their respective keys are identical is. 



The following procedure generalizes the approach described in Section 4.5 to the 
case where the number of channels is arbitrary. We shall prove in the following that 
this scheme provides a secure way of verifying the authenticity of the secret keys 
under assumption (2). 

1. Public information: $|K_A| = |K_B| = n$, $m \le n-s$ (security parameter for the 
probabilistic test of $K_A = K_B$), $s < n$ (the key size for a public MAC), 
and $\ell \ge 2$ (number of disjoint paths). 

2. Alice sets $k_A := (K_A)_{1\dots s}$ and $\bar K_A := (K_A)_{s+1\dots n}$; similarly Bob sets 
$k_B := (K_B)_{1\dots s}$ and $\bar K_B := (K_B)_{s+1\dots n}$. 

3. Alice picks random $(n-s)$-bit strings $\lambda_v \in_R \{0,1\}^{n-s}$ for $v = 1 \dots m$. She forms 
the $m(n-s+1)$-bit string $M_A := (\lambda_1 \| \lambda_1 \odot \bar K_A, \dots, \lambda_m \| \lambda_m \odot \bar K_A)$, where '$\|$' 
denotes string concatenation. She computes the tag $T$ associated with $M_A$: 

$$T := \mathrm{MAC}_{k_A}(M_A).$$

4. Alice sends copies of $(M_A, T)$ to Bob through each path $P_1, \dots, P_\ell$. Along 
each path $P_i$, $(M_A, T)$ is transmitted from point to point in an authentic way 
using the authentication key shared between neighbours. 

5. Bob collects all messages $(M_1, \dots, M_\ell)$ received from paths $P_1, \dots, P_\ell$. Bob 
locates one $1 \le h \le \ell$ such that $M_h = (M_A^h, T_h)$ and $T_h = \mathrm{MAC}_{k_B}(M_A^h)$. If 
no such $h$ can be found then Bob sets result = 0. Otherwise, Bob verifies 
that $M_A^h = (\lambda'_1 \| \lambda'_1 \odot \bar K_B, \dots, \lambda'_m \| \lambda'_m \odot \bar K_B)$. If this is not the case then 
result = 0, otherwise Bob sets result = 1. 

6. Bob sends $(\mathrm{result}, T')$, where $T' = \mathrm{MAC}_{k_B}(\mathrm{result})$, through each path $P_i$ 
the same way as Alice did for $(M_A, T)$. Let $M'_1, \dots, M'_\ell$ be all messages 
received through paths $P_1, \dots, P_\ell$. 

7. Alice verifies that for some $1 \le h' \le \ell$, $M'_{h'} = (r'', T'')$ where $T'' = \mathrm{MAC}_{k_A}(r'')$ 
and $r'' \in \{0,1\}$. If it is not the case then she sets result' = 0, otherwise she 
sets result' = $r''$. 

8. Final step: 

• If result = 1, Bob accepts key $\bar K_B$ as a newly authenticated secret key 
with Alice. Otherwise, $\bar K_B$ is discarded. 

• If result' = 1, Alice accepts key $\bar K_A$ as a newly authenticated secret 
key with Bob. Otherwise, $\bar K_A$ is discarded. 

Notice that it is important that at least one copy of both $M_A$ and result eventually 
reaches its intended receiver. Otherwise Bob, after detecting $K_A = K_B$, could 
leave Alice unaware of this fact if the adversary prevents message $M_B$ from ever 
reaching Alice untampered with. In this case Alice would conclude that Bob observed 
$K_A \ne K_B$. Under assumption (2), however, it is guaranteed that Alice and 
Bob agree on the output of the authentication process. Moreover, when $K_A = K_B$ 
is agreed upon by Alice and Bob then $K_A = K_B$ except with vanishingly small 
probability. Before proving this, let us denote by $\delta_{K,K'}$ the function that returns 1 if 
$K = K'$ and 0 otherwise, where $K$ and $K'$ are bit strings. We are now ready to prove 
the correctness of the key authentication process. 

Lemma 2. Assume Alice and Bob have generated $\varepsilon(n)$-private secret keys $K_A \in 
\{0,1\}^n$ and $K_B \in \{0,1\}^n$ through disjoint paths $P_1, \dots, P_{\ell-1}$, and $P_\ell$ under assumption 
(2). The secret key authentication process results in 

$$\Pr\big(\mathrm{result} = \mathrm{result}' = \delta_{K_A, K_B}\big) \ge (1-\varepsilon(n))\,(1-2^{-m})\,(1-p_{im})^{2\ell-2}. \quad (3)$$

Proof. Suppose first that $K_A$ and $K_B$ are uniform and random from the point of view 
of any $t$-bounded adversary. This happens with probability at least $1-\varepsilon(n)$ by 
definition of $\varepsilon(n)$-privacy. 

Second, suppose that $K_A = K_B$. By assumption (2) there exists at least one 
$h$ such that $M_h = (M_A^h, T_h)$ and $T_h = \mathrm{MAC}_{k_B}(M_A^h)$. The probability $p_{no\text{-}del}$ that 
$M_h = (M_A^h, T_h) \ne (M_A, T)$ is no more than the probability that one impersonation 
by adversary $A$ succeeds. By definition of the impersonation probability $p_{im}$ of the 
MAC scheme, we have 

$$p_{no\text{-}del} \le 1 - (1-p_{im})^{\ell-1} \quad (4)$$

since the adversary is $(\ell-1)$-bounded. Upon successful delivery of $(M_A, T)$, Bob 
always sets result = 1, since the equality test never gets it wrong when $K_A = K_B$. 
Bob's message $(\mathrm{result}, T')$ to Alice will also be received as such, except with the same 
probability $p_{no\text{-}del}$ as defined in (4). It follows that 

$$\Pr\big(\mathrm{result} = \mathrm{result}' = 1 \mid K_A = K_B\big) \ge (1-p_{im})^{2\ell-2}. \quad (5)$$

Third, assume that $K_A \ne K_B$. As when $K_A = K_B$, Bob will successfully receive 
$(M_A, T)$ except with probability $p_{no\text{-}del}$. Either Bob manages to find $h$ such that 
$M_h = (M_A^h, T_h)$ and $T_h = \mathrm{MAC}_{k_B}(M_A^h)$ or not. If not, then by assumption (2) it 
follows that $k_A \ne k_B$, hence $K_A \ne K_B$, and Bob sets result = 0. By the argument that 
led to (5) we have 

$$\Pr\big(\mathrm{result} = \mathrm{result}' = 0 \mid K_A \ne K_B,\ (\forall h)[T_h \ne \mathrm{MAC}_{k_B}(M_A^h)]\big) \ge (1-p_{im})^{2\ell-2}. \quad (6)$$

Finally, suppose that there exists $h$ such that $M_h = (M_A^h, T_h)$ and $T_h = \mathrm{MAC}_{k_B}(M_A^h)$. 
Except with probability at most $p_{no\text{-}del}$ it is the case that $(M_A^h, T_h) = (M_A, T)$. In 
particular, it means that Bob knows $\lambda_v \odot \bar K_A$ and $\lambda_v$ for all $1 \le v \le m$. Provided 
$\bar K_A \ne \bar K_B$, Bob will determine this fact except with probability $p_{error} \le 2^{-m}$. Using 
the same argument as the one that led to (5) we get 

$$\Pr\big(\mathrm{result} = \mathrm{result}' = 0 \mid K_A \ne K_B,\ T_h = \mathrm{MAC}_{k_B}(M_A^h)\big) \ge (1-2^{-m})\,(1-p_{im})^{2\ell-2}. \quad (7)$$

Putting (5), (6), and (7) together leads to (3) after an extra multiplicative factor 
of $(1-\varepsilon(n))$ is added, since the analysis above holds when $K_A$ and $K_B$ are uniform 
and random from the adversary's point of view, which happens with probability 
$1-\varepsilon(n)$. □ 
4.7 Recovery from Privacy Losses 



Lemma 2 tells us that the results of both parties coincide and represent the answer 
to the question $K_A \overset{?}{=} K_B$ except with negligible probability. What the lemma 
does not tell us is how much privacy is preserved by the authentication process. In 
particular, the parity checks $\{\lambda_v \odot \bar K_A\}_{v=1}^{m}$ leak $m$ bits of information about the key 
to the adversary. How do Alice and Bob get rid of this extra leakage? One way 
to do it would be to use privacy amplification, but this seems overkill. Using 
the interpretation of $\varepsilon(n)$-privacy, Alice and Bob can do better without needing 
to agree upon a random hash function or to communicate. That is, privacy 
amplification can be performed by a deterministic process. 

Let us describe what Alice would do to remove the information on $K_A \in \{0,1\}^{n-s}$ leaked by the parity checks sent to Bob during the authentication process. Suppose furthermore that the original $K_A$ was $\varepsilon(n)$-private toward any $(\ell-1)$-bounded adversary, as guaranteed by Lemma 1. The following procedure gets rid of all extra information leaked during the key-authentication process, provided it was successful.

1. Let $\{\lambda_v\}_{v=1}^{m}$ be the set of parity checks sent by Alice to Bob during the key authentication process. Suppose the process was successful (i.e. $\mathit{result}' = 1$) and was initially run upon an $\varepsilon(n)$-private key $K_A$. The following produces a final $\varepsilon(n)$-private secret key $K^*_A$.

2. Set the set of trashed bits to be initially empty, $\mathcal{B} := \emptyset$.

3. For each $1 \le v \le m$ do:

   (a) Reduce $\lambda_v$ by the checks already processed: set $\tilde{\lambda}_v := \lambda_v$ and, for each earlier $v' < v$ that trashed a position $i_{v'}$ (taken in increasing order of $v'$), if $\tilde{\lambda}_{v, i_{v'}} = 1$ then set $\tilde{\lambda}_v := \tilde{\lambda}_v \oplus \tilde{\lambda}_{v'}$. The result $\tilde{\lambda}_v$ vanishes on every position of $\mathcal{B}$. Then find the smallest $1 \le i \le n - s$ such that $\tilde{\lambda}_{v,i} = 1$ (such an $i$ is necessarily not in $\mathcal{B}$).

   (b) If such an $i$ exists then $\mathcal{B} := \mathcal{B} \cup \{i\}$ and record $i_v := i$; otherwise ($\tilde{\lambda}_v = 0$, i.e. $\lambda_v$ is a sum of earlier checks and reveals nothing new) do nothing.

4. Set $K^*_A := K_A - \mathcal{B}$ (i.e. in other words, we remove from $K_A$ all positions $i \in \mathcal{B}$).

Bob can certainly perform the exact same procedure on his side since he knows $\{\lambda_v\}_{v=1}^{m}$ upon $\mathit{result} = 1$. Clearly, if $K_A = K_B$ then $K^* = K^*_A = K^*_B$, and $K^*$ is shorter than $K_A$ and $K_B$ by at most $m$ bits (exactly one bit per linearly independent parity check). This is optimal since that many bits of information about $K_A$ (and $K_B$!) are disclosed by the key authentication process.

Lemma 3. The deterministic privacy amplification procedure described above, when run upon a key $K = K_A = K_B \in \{0,1\}^{n-s}$ that was initially (before the parity checks were revealed) $\varepsilon(n)$-private, produces an $\varepsilon(n)$-private final secret key $K^* \in \{0,1\}^{n-s-m}$.

Proof. Let $K = K_A = K_B$ be the key agreed upon after the key authentication process was successful. Suppose first that $K$ is really uniform and random from the adversary's point of view. We argue by induction on $v$ that, after $\lambda_v$ has been processed, the bits at the positions outside $\mathcal{B}$ are uniformly distributed given $\lambda_1 \odot K, \ldots, \lambda_v \odot K$, while the bits at the positions in $\mathcal{B}$ are determined by them. By construction $\tilde{\lambda}_v$ differs from $\lambda_v$ by a sum of earlier checks, so the adversary learns $\tilde{\lambda}_v \odot K$ exactly when she learns $\lambda_v \odot K$, and $\tilde{\lambda}_v$ vanishes on $\mathcal{B}$. If $\tilde{\lambda}_v = 0$, then $\lambda_v \odot K$ is a combination of parities already revealed and leaks nothing new about $K^*$. Otherwise $\tilde{\lambda}_v \odot K = K_i \oplus (\text{a sum of other bits outside } \mathcal{B})$ for the trashed position $i$; conditioning on this value fixes $K_i$ as a function of the remaining bits and leaves the remaining bits (which are uniform and random) uniform. The reduction in Step 3(a) cannot be skipped: for $\lambda_1 = (1,1,0,0)$ and $\lambda_2 = (1,1,1,0)$, trashing the smallest position of $\lambda_2$ not yet in $\mathcal{B}$ would trash position 2, yet $\lambda_2 \odot K = (\lambda_1 \odot K) \oplus K_3$ reveals the surviving bit $K_3$; the reduced check $\tilde{\lambda}_2 = (0,0,1,0)$ trashes position 3 instead.

In fact $K$ is not uniform and random from the adversary's point of view but rather $\varepsilon(n)$-private. However, except with probability $\varepsilon(n)$, $K$ really behaves like a uniform and random key from the adversary's perspective. It follows that except with probability $\varepsilon(n)$, the deterministic privacy amplification process produces a uniform and random key $K^*$ against the adversary. It follows that $K^*$ is $\varepsilon(n)$-private. □

We shall call this privacy amplification scheme deterministic privacy amplifica- 
tion since it is deterministic and does not involve any communication between Alice 
and Bob. 
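The procedure of this section, as an added example that is not part of the paper: `trashed_positions` implements Step 3 with the Gaussian-elimination reduction of Step 3(a), `amplify` implements Step 4, and `leaks` is a brute-force privacy check that enumerates every key, groups the keys by the parities the adversary sees, and tests whether $K^*$ is uniform inside each group. The `reduce=False` variant (the rule "smallest $i$ with $\lambda_{v,i} = 1$ and $i \notin \mathcal{B}$", without reduction) is included only to exhibit the leak discussed in the proof of Lemma 3 on the constructed checks `CHECKS`. All function names and the sample checks are assumptions of this example; positions are 0-based here, where the paper counts from 1.

```python
"""Deterministic privacy amplification of Sect. 4.7 (added example, not the paper's code).
Parities are inner products over GF(2); positions are 0-based."""
from collections import Counter
from itertools import product


def parity(lam, key):
    """lambda (.) K over GF(2): the one bit Alice reveals for this check."""
    return sum(l & k for l, k in zip(lam, key)) & 1


def trashed_positions(checks, reduce=True):
    """Ordered list of trashed positions B.

    reduce=True : Step 3(a) as stated: each check is first XORed with the earlier
                  reduced checks whose pivot it touches, so it vanishes on B.
    reduce=False: naive rule 'smallest i with lambda_{v,i} = 1 and i not in B',
                  kept only to show why the reduction is needed.
    """
    pivots, reduced = [], []
    for lam in checks:
        row = list(lam)
        if reduce:
            for i, r in zip(pivots, reduced):   # increasing v': clears every pivot
                if row[i]:
                    row = [a ^ b for a, b in zip(row, r)]
        candidates = [i for i, bit in enumerate(row) if bit and i not in pivots]
        if not candidates:            # lambda_v depends on earlier checks: nothing new
            continue
        pivots.append(candidates[0])
        reduced.append(row)
    return pivots


def amplify(key, checks, reduce=True):
    """K* = K - B (Step 4)."""
    trashed = set(trashed_positions(checks, reduce))
    return tuple(bit for i, bit in enumerate(key) if i not in trashed)


def leaks(checks, n, reduce=True):
    """Brute-force privacy check over all 2^n keys.  Keys are grouped by the
    parities the adversary sees; K* must be uniform within every group.
    Returns True if some group is biased, i.e. the parities say something about K*."""
    groups = {}
    for key in product((0, 1), repeat=n):
        seen = tuple(parity(lam, key) for lam in checks)
        groups.setdefault(seen, Counter())[amplify(key, checks, reduce)] += 1
    for counts in groups.values():
        width = len(next(iter(counts)))
        if len(counts) != 2 ** width or len(set(counts.values())) != 1:
            return True
    return False


# Constructed checks: lambda_2 = lambda_1 xor e_3, so lambda_2 (.) K = (lambda_1 (.) K) xor K_3.
CHECKS = [(1, 1, 0, 0), (1, 1, 1, 0)]

if __name__ == "__main__":
    # naive rule trashes positions 0 and 1 and leaks K_3; reduced rule trashes 0 and 2
    print(trashed_positions(CHECKS, reduce=False), leaks(CHECKS, 4, reduce=False))  # [0, 1] True
    print(trashed_positions(CHECKS, reduce=True), leaks(CHECKS, 4, reduce=True))    # [0, 2] False
```

The `leaks` check is exponential in $n$ and is meant as a unit test for small cases, not for production key sizes; for the reduced rule the argument of Lemma 3 shows it never fires, since the trashed positions are pivots of a row-echelon basis of the checks and the map $K \mapsto (\text{parities}, K^*)$ is a bijection.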



4.8 Putting Things Together 



We are now ready to provide the final statement regarding the key authentication scheme described in the previous sections. By key authentication process we loosely mean the procedures described in Sections 4.6 and 4.7. That is, it includes the deterministic privacy amplification procedure run independently by Alice and Bob after the authentication process described in Sect. 4.6 has resulted in a success: $\mathit{result} = \mathit{result}' = 1$.



Theorem 2. Let $K^*_A \in \{0,1\}^{n-s-m}$ and $K^*_B \in \{0,1\}^{n-s-m}$ be the final secret keys generated after key authentication and deterministic privacy amplification as described above, upon initial $\varepsilon(n)$-private $K_A, K_B \in \{0,1\}^{n}$. Suppose the MAC used during key authentication has impersonation probability at most $p_{\mathrm{im}}$ even given two message-tag pairs authenticated with the same key. Then, against any $(\ell-1)$-bounded adversary we have

$$\Pr\big(\mathit{result} = \mathit{result}' = \delta_{K^*_A, K^*_B}\big) \ge (1 - \varepsilon(n))(1 - 2^{-m})(1 - p_{\mathrm{im}})^{2\ell - 2},$$

and $K^*_A$ and $K^*_B$ are $(2^{-m} + 2\ell p_{\mathrm{im}} + 2\varepsilon(n))$-private. If in addition the adversary is $(\ell-2)$-bounded, then the final secret key remains private in the same way against honest-but-curious paths.

Proof. The only thing that does not follow directly from Lemmas 2 and 3 is the statement about the privacy of $K^*_A$ and $K^*_B$. Privacy only makes sense when $\mathit{result} = \mathit{result}' = \delta_{K^*_A, K^*_B} = 1$. When this applies, however, the final secret key $K^* = K^*_A = K^*_B$ is $\varepsilon(n)$-private, as was shown in Lemma 3. The result follows immediately. □
4.9 What MAC to Use?



Any authentication scheme with small enough impersonation probability $p_{\mathrm{im}}$ can be used by Alice when she sends $M_A$. The authentication schemes used in Secoqc follow [42, 43]. These authentication schemes can also be used for key authentication. However, the impersonation probability $p_{\mathrm{im}}$ should hold even given two message-tag pairs generated using the same key.

This can be achieved the obvious way by setting $k_A = (k'_A, k''_A) = (K_A)_{1 \ldots 2s}$ and $k_B = (k'_B, k''_B) = (K_B)_{1 \ldots 2s}$ in the key authentication process. Alice authenticates message $M_A$ with sub-key $k'_A$, which Bob verifies with sub-key $k'_B$. Bob's message $M_B$ is authenticated with sub-key $k''_B$, while Alice verifies with sub-key $k''_A$. Clearly, if the MAC scheme has impersonation probability at most $p_{\mathrm{im}}$ given one message-tag pair, then this way of authenticating has impersonation probability at most $2p_{\mathrm{im}}$ against two message-tag pairs generated with the same key. There are many other ways of building MACs suitable for our application [24]. The one mentioned above is probably the simplest, but certainly not the best one in terms of key size.
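The sub-key split above, as an added example that is neither the paper's code nor the Secoqc MAC of [42, 43]. The MAC used here is the textbook one-time universal-hash MAC $t = a \cdot m + b \bmod p$ (an assumed stand-in): against an adversary who has seen one message-tag pair it has $p_{\mathrm{im}} = 1/p$, but two pairs under the same key give two linear equations in $(a, b)$ and hand the adversary the key, which is exactly why each direction gets its own sub-key. The prime `P`, the sub-key size `S`, the shared key material and the messages are all constructed for the example.

```python
"""Direction-separated MAC sub-keys of Sect. 4.9 (added example, not the paper's code).
Toy one-time MAC t = a*m + b mod P: secure for ONE message per key, broken after TWO."""

P = 2 ** 61 - 1          # prime field for the toy MAC (assumed parameter)
S = 32                   # bytes of shared key material per sub-key (assumed); 2*S are spent


def mac(key, msg):
    """Tag of an integer message 0 <= msg < P under key (a, b)."""
    a, b = key
    return (a * msg + b) % P


def verify(key, msg, tag):
    return mac(key, msg) == tag


def subkey(material):
    """Map s bytes of shared key material to a toy MAC key (a, b)."""
    half = len(material) // 2
    return (int.from_bytes(material[:half], "big") % P,
            int.from_bytes(material[half:], "big") % P)


def split_keys(K, s=S):
    """k' = K_{1..s} authenticates Alice -> Bob, k'' = K_{s+1..2s} authenticates Bob -> Alice."""
    return subkey(K[:s]), subkey(K[s:2 * s])


def recover_key(m1, t1, m2, t2):
    """Adversary's move when one key tagged two distinct messages:
    solve t_i = a*m_i + b (i = 1, 2) for (a, b) over GF(P)."""
    a = (t1 - t2) * pow((m1 - m2) % P, -1, P) % P
    b = (t1 - a * m1) % P
    return (a, b)


def run_exchange(K, M_A, M_B, split=True):
    """Both directions of the key-authentication exchange.
    Returns (both tags verified, adversary recovered the key behind Alice's tag).
    split=False reuses k' for Bob's reply, the mistake the sub-key split prevents."""
    k1, k2 = split_keys(K)
    alice_key, bob_key = (k1, k2) if split else (k1, k1)
    T_A = mac(alice_key, M_A)        # Alice -> Bob, verified by Bob with his copy of k'
    T_B = mac(bob_key, M_B)          # Bob -> Alice, verified by Alice with her copy of k''
    ok = verify(alice_key, M_A, T_A) and verify(bob_key, M_B, T_B)
    guess = recover_key(M_A, T_A, M_B, T_B)   # the adversary sees both pairs
    return ok, guess == alice_key


# Constructed shared key material (stands for K_A = K_B) and messages (stand for M_A, M_B).
K_SHARED = bytes(range(2 * S))
M_A, M_B = 0xA11CE, 0xB0B

if __name__ == "__main__":
    print(run_exchange(K_SHARED, M_A, M_B, split=True))    # (True, False)
    print(run_exchange(K_SHARED, M_A, M_B, split=False))   # (True, True)
```

With the split, each sub-key sees exactly one message-tag pair, so the single-pair bound of the underlying MAC is all that is needed and the union over the two directions gives the $2p_{\mathrm{im}}$ of the text; the key cost is $2s$ bits of $K_A$, which is the price the paragraph above refers to.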

5 Conclusions 

In this paper we have reviewed the concept of a QKD network and have discussed different models of QKD networks. We have in particular focused on trusted repeater networks and have studied the case when part of the nodes are not to be trusted and could be arbitrarily malicious. We have shown how to ensure that Alice and Bob share identical and private keys after key generation over the network. We suppose that Alice and Bob do not share key material to start with; they only share keys with their direct neighbours. However, we suppose that classical messages sent through honest paths are eventually delivered to their intended recipient (assumption (2)).

We conclude that secret keys can be generated through $\ell$ disjoint paths in a private and authentic way against $(\ell-1)$-bounded adversaries, and against $(\ell-2)$-bounded adversaries with honest-but-curious paths.

It should be noted that assumption (2) can be relaxed further without undesirable consequences for the security of the key authentication process. It suffices for only one honest path to eventually deliver classical information to the intended receiver. This modifies neither the protocol nor its security analysis. Indeed, an honest path will always allow the parties to agree upon the authenticity of the secret key: one properly authenticated message from Alice to Bob and one from Bob to Alice suffice to assess the equality of both keys. Otherwise, if the keys are different, then both parties will anyway conclude that the keys do not match.